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ABSTRACT: An Intrusion 
Detection System (IDS) identifies 
the attacks by analysing the 
events, considered undesirable 
from a security perspective, in 
systems and networks. It is 
necessary for organizations to 
install IDS for the protection of 
sensitive data due to an increase 
in the number of incidents related 
to network security. It is difficult 
to detect intrusions from a 
segment that is outside a network 
as well as an intrusion that 
originated from inside a 
distributed network. It should be 
the responsibility of IDS to 
analyse a huge amount of data 
without overloading the networks 
and monitoring systems. Mobile 
agents (MA) emerged due to the 
deficiencies and limitations in 
centralized IDS. These agents can 
perform predefined actions by 
detecting malicious activities. 
From previously published 
literature, it was deduced that 
most of the existing IDS based on 
MA are not significantly effective 


due to limited intrusion detection 
and high detection time. This 
study categorized existing IDS 
and available MA-IDS to conduct 
a strategic review focusing on the 
classification of each category, 
that is, data collection modes, 
architecture, analysis techniques, 
and security. The limitations and 
strengths of the discussed IDS are 
presented/showcased wherever 
applicable. Additionally, this 
study suggested ways to improve 
the efficiency of available MA- 
IDS in order to secure distributed 
networks in the future. This 
overview also includes different 
implementations of agent based 
IDS. 


INDEX TERMS: data mining, 
distributed systems, Intrusion 
Detection System (IDS), Mobile 
Agents (MA), network security 


I. INTRODUCTION 


The security of computer 
systems should be taken into 
consideration because it has turn 
out as the stake of companies [1]. 
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Identification mechanism of 
different activities over a network 
that may lead to compromise in 
the policy of security is known as 
intrusion detection technique [2]. 
IDS = aggregates/collects and 
analyzes a huge amount of data 
that is gathered from multiple 
access points of a network [3]. An 
intrusion is a group of actions 
aimed to harm any resource’s 
confidentiality, integrity and 
availability (CIA triad). An 
intrusion occurs when a system’s 
CIA guarantees are violated and 
vulnerabilities in security are 
exploited by an attacker or a 
group of attackers. Therefore, it is 
pertinent to have a system to 
detect intrusion in form of an 
auxiliary protection wall [2]. IDS 
keeps track of all outgoing and 
incoming network activities. It 
also detects unknown actions that 
may indicate a system intrusion or 
attack trying to intrude into a 
system [3]. IDS is an authorized 
mechanism used to detect and 
identify illegal users, 
vulnerabilities, and attacks having 
the potential to affect or damage 
the functioning of computer 
systems properly. Some sets of 
predefined actions are executed 
when IDS detects an intrusion [4]. 
Intrusions must be identified 
immediately to enact quick and 
effective remedial or corrective 
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actions. Hence, IDS is a crucial 
part of any security infrastructure 
since it is used to deal with 
network attacks [5]. The main 
objective of IDS is to detect 
unexpected access patterns and 
then respond to keep the system 
secure [6, 7]. 


Therefore, existing mobile 
agent intrusion detection systems 
(MA-IDS) are critically examined 
in this paper. The organization of 
the paper as follows: IDS is 
explained in second section in 
detail; third section provides an 
introduction of mobile agents; 
fourth section provides 
classification of IDS; fifth section 
analyses the existing available 
MA-IDSs; sixth section discusses 
the proposed architecture by 
considering the current design’s 
shortcomings; the last section 
provides the conclusion of the 
work. 


II. INTRUSION DETECTION 
SYSTEM 


In [8], some of the required 
features for IDS have been 
defined by authors with a focus on 


two themes: performance 
requirements and functional 
requirements. 


Some of the characteristics of 
these requirements are 
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summarized in [3] and given in 
the following section. 


A. Functional Requirements 


e IDS should monitor 
continuously and report the 
intrusion immediately [3]. 

eIn IDSs, the false alarm rate 
must be very low [3, 8]. 

eJDS must generate sufficient 
information to repair the system 
in case an intrusion is detected 
since IDS only provides alerts 
to the administrators without 
any recommendation of 
corrective actions [8, 9]. 

eIDS should react and detect 
coordinated and distributed 
attacks [9]. 

e IDS must adapt to the changes 
made in configuration and the 
network topology [3]. 


B. Performance Requirements 

e Real-time intrusion detection 
Should be done to reduce 
network damage [3]. 

e Scalability should be a part of 
IDS to handle additional loads 
of communications and 
computation [3, 10]. 


HI. 1 IDS LIMITATIONS 


In the initial designs, IDS 
faced the following shortcomings 
[2], [3], [140]: 


e High rate for false positive 
alerts. 
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e Degradation of efficiency: In a 
network, when IDS has to face 
a large number of events, it will 
drop the network packets and 
also slow down the system. 

e Vulnerability for attacks: 
Hierarchical structures provide 
opportunities to attackers to 
easily harm the IDS. 

e Time delay. 

e A single point of failure. 


e Reduced scalability. 
e Mutual communication among 
different IDSs is difficult. 


IV. MOBILE AGENTS 


At present, mobile agent 
technology is implemented to IDS 
in order to _ solve the 
aforementioned shortcomings. It 
is a specific software type agent 
that is capable of moving between 
multiple hosts over the network. 
MA is a software application that 
existed autonomously in a certain 
environment. It achieves its goals 
by sensing the environment and 
acting upon the available 
knowledge base [2]. 


A. Mobile Agent Advantages 


Mobile agents have the 
advantage of using static 
components in IDS [3] as 


specified below. 


1) Improved Network 
Latency: As the agents directly 
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operate on the host, hence they 


give a response faster as 
compared to the hierarchical 
systems, where the central 


coordinator has to take the actions 
[2], [3]. 


2) Network Load 
Reduction: Network load is 
reduced by sending only the agent 
code instead of audit data to 
central stations from sensors, 
since audit data may increase to 
huge amounts [3], [11]. 


3) Autonomous and 
synchronous Execution: To 
prevent the whole network, the 
agents can execute autonomously 
even when their parent process 
doesn’t exist anymore [3, 12]. 


4) Support for 
Heterogenous Platforms: Agents 
can run on hosts having any 
platform and are not platform 
dependent [11]. 


5) Dynamic Adaptation: 
Any feature can be added or 
removed to the system at run-time 
due to dynamic behaviour of the 
agents [3]. 


6) Static Adaptation: 
System restart is not required for 
an update of the agent’s algorithm 
when an attack signature is added 
to the IDS [3]. 


7) Scalability: By dividing at 
different hosts, the computational 
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load can be reduced on the system 
by using mobile agents [12]. 


8) Fault Tolerance/ 
Robustness: Due to the robust 
nature of mobile agents, fault 
tolerance is not an issue [11, 12]. 


Due to these features, mobile 
agent technology is really 
effective for solving the intrusion 
detection in a distributed network 
[13]. Hence, giving advent to MA 
based IDS. 


B. Mobile Agent Limitations 


Some shortcomings faced by 
MA-IDSs_ [2] include three 
limitations. 


1) High Time to Detection: 
There is a compatibility issue 
between the speed of MA 
solutions and the needs of IDS. 
One major challenge for MA-IDS 
is to improve the speed for the 
identification of — malicious 
activities [2, 15]. 


2) Performance: Although the 
detection performance of the MA 
paradigm increased extensively, 
the detection is still not effective 
for autonomous attacks. Even 
though agents are often written 
using scripting languages that 
support portability for different 
platforms, still their execution 
mode is very low comparatively 
against native codes [2, 16]. 
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3) Security: Another 
shortcoming is to protect from 
attacks, the protector 1.e. MA-IDS 
[2, 17]. 


V. CLASSIFICATION OF 
INTRUSION DETECTION 
SYSTEM 


Proper classification and good 
taxonomy have significant 
beneficial effects on the research 
of any field. Previously, several 
surveys have been conducted to 
define taxonomies and the 
classification of intrusion 
detection [18]. However, there is 
still no widely acceptable or 
applicable taxonomy for intrusion 
detection. “This may be, because 
of, it being a young research 
field and due to inherent 
complexity” [19]. 


Framework 


This paper aimed to classify 
IDS based on its basic features. 
The details of the proposed IDS 
classification are illustrated in 
Figure 1. Each element of this 
classification 1s discussed below. 


A. Framework 


The collection points where 
information is collected are either 
network-based or host-based and 
are represented as leaf nodes in a 
hierarchical framework. The 
internal nodes receive and 
aggregate the event information 
from several leaf nodes [20]. 
Furthermore, the abstraction, data 
reduction, and correlation take 
place at higher nodes and 
continue until the root node is 
accessed. 
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The intrusion detection and 
response generation are the 
responsibility of the root node, 
which is not only the command 
but also the control system. 
Information can move between 
any nodes in a network IDS 
framework. The collection and 
correlation of data, as well as the 
command-and-control system are 
integrated into every monitored 
system. Hybrid IDS comprises 
both a hierarchical IDS 
framework and a network [3, 20]. 


B. Intrusion Detection 
Behaviour 


There are two types of intrusion 
detection behaviour: anomaly 
detection and misuse detection. 
Anomaly IDS identifies the usage 
of normal behaviour patterns to 
detect any intrusions. Any 
deviation found from the normal 
constructed behaviour 1S 
determined to be an intrusion. 
Well defined attack patterns are 
used by the Misuse intrusion that 
exploits the application software 
to detect intrusion and 
vulnerabilities found in the 
system. These patterns are already 
defined and are used to compare 
the behaviour of the user to detect 
any sign of intrusion [21]. 
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C. Source 


Host-based IDS, also known as 
HIDS [3], derives and utilizes 
information from a single host of 
a system, whereas network-based 
IDS, also known as NIDS, utilizes 
the information that is derived 
from a LAN segment. 
Conversely, hybrid IDS [22] is a 
term used to describe a system 
that combines both NIDS and 
HIDS. 


D. Composition 


After 1980, when IDS was first 
introduced, several IDSs were 
designed and implemented for the 
centralized system [23]. The data 
analysis is done in centralized 
IDS on fixed locations, regardless 
of the number of hosts that are 
monitored. Distributed IDS 
analyzes a huge amount of data 
without putting additional load on 
monitored systems and the 
network. In a computing system, 
distributed sources are used to 
obtain data [2]. The distributed 
information is gathered by mobile 
agents autonomously and 
intelligently across the network. 
The limitations of the centralized 
system are overcome by the MA 
based IDS by performing 
distributed correlation with the 
use of the mobility feature of 
agents [3, 24]. 
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VI. ANALYSIS OF AVAILABLE 
MA-IDSs 


The technology of mobile 
agents has been proposed for 
intrusion detection due to the 
reduced cost of communication 
and new threats adaptability. New 
detection features can be easily 
added without restarting or 
rebuilding the IDS due to the 
independent execution of the 
agents. The following research in 
the domain of MA-based IDS was 
conducted focusing on the 
framework, data collection 
modes, security, their strengths 
and weaknesses. 


A. Autonomous Agents for 
Intrusion Detection (AAFID) 
[25] 

I) Framework: AAFID 

implements a hierarchical design 

based on the host to overcome the 
centralized system’s limitations. 

There are three layers in the 

system. The upper layer is called 

the procedure of the lower layer. 

Information is collected by the 

agent at the base level, after which 

suspicious data is searched. 

Subsequently, the collected 

information is sent to the 

transceiver in the top layer, as 

well as the one in each host. At a 

higher level, one or more 

transceivers send data to the 
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monitors, which they 
subsequently evaluate. 

2) Data Collection: Audit 
router delivers the audit 


information to the agents, which 
enables them to communicate 
with each other. Audit router 
contains the database of agents 
that are running. Agents after 
registering to this database get a 
handle that helps them 
communicate with other agents. 


3) Security: The AAFID 
architecture faces the problem of 
security as traditionally in the 
field of research of distributed 
systems. 


4) Technique: The higher- 
level elements in the AAFID 
architecture are Transceivers and 
Monitors. They are involved in 
the central analysis of the data 
based on the host as well as the 
network. The feasibility of the 
AAFID architecture is described 
and experimented by 
implementing the working 
prototypes using Perl and C 
language, having the advantage of 


easy portability for different 
platforms. 

5) Strength: Transceivers 
and monitors use system 


scalability to detect distributed 
attacks. 
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6) Problem: One of the 
major drawbacks of AAFID 
architectures is the delay in 
detecting the intrusion between 
monitor and agents caused by 
layers. Furthermore, the monitors 
constitute a single point of failure. 


B. Intelligent Mobile Agents 
for Intrusion Detection 
System (IMA-IDS) [26] 


1) Framework: IMA-IDS 
framework is based on four kinds 
of agents. 


a) Collector agent: ‘This 
agent is distributed over the 
network and is responsible for 


collecting the events which 
occurred in the host. 
b) Correlator agent: It 


gathers critical information and 
forwards it to the appropriate 
analyser agent. The predefined set 
of rules, specifying crucial events, 
are used by the correlator agents. 


Analyzer agent: Several 
analysis operations are performed 
by this agent, such as signature 
detection, protocol analysis, and 
anomaly detection. 


d) Manager agent: They 
generate alarms if they identify 
any anomaly in the results 
reported by the analyzer agents. 
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Communication agents can 
get information from other agents 
by requesting the manager agent. 


2) Data Collection: Data 
collection is based on both the 
network as well as the host. 


3) Technique: IDS is based 
on the centralized IDS model. The 
results, generated by the collector 
agents, inform the manager agent. 
who then passes them on to the 
analyzer agents. A higher level of 
correlation and analysis (anomaly 
and policy detection) is 
performed by the analyzers. 
Subsequently, the results of the 
analyzer agents are sent to the 
manager, and if any anomaly is 
found, they activate the alarms. 


4) Security: The security 
mechanism uses asymmetric 
cryptography to exchange keys 
between different hosts. This 
mechanism is based on Aglet 
Framework. 


5) Strength: Its agents can 
not only gather data but also 
respond to situations. They have 
increased efficiency, scalability, 
and flexibility when operating in 
a heterogeneous environment. 
Java is used to write the whole 
system, which makes this agent 
very portable. It is able to run on 
any platform supporting Java. 
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6) Problem: One of the 
major disadvantages of the IMA- 
IDS architecture is the security. If 
an attacker has deep knowledge 
and expertise of Aglet, then 
mobile agents can be modified to 
harm the host, due to which the 
host can cause damage to the 
mobile agents. 


C. A Mobile Agent-based 
Programmable Hybrid 
Intrusion Detection System 
(APHIDS) [27] 


I) Framework: APHIDS 
uses a network-based framework 
and places an agent engine in the 
network at each site. Its 
implemented in the form of a 
distributed layer on top of the 
engines of the distributed agent. 
By designing a system that 
can distribute tasks efficiently 
and flexibly for analysis and 
monitoring, this framework takes 
advantage of mobile agent 
technology. It is also capable of 
existing detection technologies 
integration. 


2) Data Collection: Data 
collection and detection activities 
are distributed by this architecture 
to the host and the network, both 
of which are the existing 
monitoring systems. 
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3) Security: In this 
framework, the security for the 
agents is not considered. 


4) Technique: Anomalous 
activity on the network is defined 
as trigger. For detection action, 
the trigger agent has to be 
programmed. 


A set of Distributed 
Correlation Script (DCS) is 
provided as input to the system. It 
correlates a trigger event with a 
set of analytical activities to be 
executed when an event is 
detected. MA are implemented 
for a distributed analysis and 
search. 


5) Strengths: The use of 
lightweight analysis agents 
reduce the bandwidth usage 


during log data transfer. Expert 
knowledge regarding 
administrator of security is 
gathered by DCS and automating 
standard processes of 
investigation that are carried out 
in response to an occurrence. 


6) Problem: Agent’s 
security is not taken into account. 


D. Mobile Agent for Network 
Intrusion Resistance [28] 


1) Framework: The 
following components are 
contained in the designed 
framework of IDS. 
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a) Manager: It controls and 
adjusts other parts of the system. 
It also maintains configuration 
information of other components. 
It receives alarms in response to 
intrusions from the host MA 
monitor. Subsequently, an 
intrusion response is executed by 
it. 


b) Host monitor MA: Over the 
network, this is maintained on 
every host. In response to the 
intrusion, an appeal is sent to the 
manager by the monitor of the 
host MA to directly report the 
anomaly activity. Once the appeal 
is received, the manager 
distributes a data gathering MA 
patrolling to collect the 
information. Upon detecting the 
distributed intrusion, an intrusion 
response MA is activated by the 
manager to respond to each host 
being monitored intelligently. 


2) Data Collection: In this 
framework, the source of data is 
both networks as well host based. 
There are different types of data 
collection, such as audit records 
and system logs. 


3) Techniques: The log files 
of the monitored host system are 
analysed by the mobile agent, 
which are then compared with the 
predefined signatures of the 
attacks to detect abnormal actions 
or intrusions. 
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4) Security: Aglet response 
is the security mechanism base of 
this framework. 


5) Strengths: This system 
changed the traditional 
hierarchical structure of a 
distributed IDS. 


6) Problem: A significant 
part of the IDS is carried out by 
the control centre. The system can 
collapse if the location is 
discovered by this centre. 


E. Intrusion Detection Agent 
System (IDA) [29] 


1) Framework: It is an 
intrusion detection technique 
based on the implementation of 
the mobile agent. It is based on a 
basic framework that includes 
several types of agents, sensors, 
and a central manager for each 
network segment. The collection 
and analysis of the information is 
the responsibility of the central 
manager. 


The network traffic is 
monitored by the sensors. The 
first type of agent examines the 
logs in detail and is known as 
Information Gathering Agent 
(IGA). The second type of agent 
is named the tracing agent. It is 
responsible for tracing the attack 
source. These agents work by 





coordinating with IDAs. The 
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facilitate agents to communicate 
with the manager and each other 
as well. 


2) Data Collection: Agents 
collect the information on the 
intruder and the intrusion. The 
central manager collects and 
analyses the information using 
sensors. 


3) Security: The  agent’s 
security is managed from a central 
location. 


4) Technique:The main goal 
of IDA is to detect intrusions by 
scanning MLSI or to detect any 


marks left by an intruder who is 
currently in the stage of mark. 


5) Strength: The agent 
distribution and communication 
protocol are fully described. 


6) Problem: One of the main 
drawbacks of the IDA 
architecture is scalability since 
only a few sensors and agents are 
dealt with by the central 
managers.A comparison of the 
classification features of the 
reviewed MA-IDS 1s illustrated in 
Table 1. It is observed that some 
of these IDS are still facing 
drawbacks while some are strong 
in comparison. 


TABLE 1 
COMPARISON OF REVIEWED MA-IDS 


Sr. Data 
No. Paper Framework Behavior Collection 
l l Anomaly Network 
I [aa] Micrarchical Detection based 
2 [26] Network Hybrid Hybrid 
Anomaly 
3 [27] Network Detection Hybrid 
4 [28] Hierarchical Hybrid Hybrid 
À Misuse Host 
a [22] ens Detection Based 
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Security Technique Strength Problem 
Not Central oi Delay in 
Considered Analysis scalability detection 
Asymmetric 
Cryptography Statistical Scalability & Security 
based on Aglet Analysis Portability 
Framework 
. l gent 
Not Correlation Lightiwerehi Security 
. l Analysis 
Considered Scripts Aai Not 
8 Considered 
Aglet Anasi peA a Central 
Basedon Hierarchical 
Framework Control 
Rules Structure 
MLSI 
Centrally aa i Communicati e 
Scalability 
managed on Protocol 
Suspected 
Intruder) 
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VII. SUGGESTED FEATURES FOR 
MA-IDS IMPROVEMENTS 


In [30, 31] authors suggested 
that the research on use of mobile 
agents in IDS should be 
considered in these three 
categories as follows 


A. New Detection Paradigm 


The intrusion detection 
techniques must be improved. 


B. New Architecture Paradigm 


New Architecture Paradigm 
should decide upon the 
architecture of the IDS according 
to the requirements of the systems 
by answering these questions. 


Does it follow network IDS 
architecture, Hybrid IDS 
architecture, or hierarchical 


architecture of IDS? 
C. Amendments 


Amendments should be made to 
the design that exists already. For 
example, the rate of false alarm 
can be reduced. 


To address the limitations of 
the available IDS based on MA 
and enhance the MA-IDS, this 
article presents some suggestions 


based on the features given 
below: 
1) Framework: The nature 


of hierarchical architecture 1s 
inflexible because of the lines of 
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communication and exact 
functioning that tend to become 
connected with their components 
as discussed in the section on IDS 
categorization. Due to the 
unconstrained flow of 
communication, the network 
framework faces an issue related 


to the inefficiency in 
communications [2]. A hybrid 
model enabling free 


communication 1s recommended 
as the method of merging the best 
features of network and 
hierarchical systems. 


2) Behaviour: As in the case 
of anomaly-based IDS, a hybrid 
approach is proposed based on the 
combination of both misuse and 
anomaly in order to solve the 
problem of high false positive. 


3) Source: Network as well 
as Host based. 


4) Security: “Because an 
agent's code cannot be altered by 
an attacker to make it harmful, 
security risks can be significantly 
reduced if processing 1s restricted 
by MA-IDS system to just those 
agents who are signed digitally by 
a security administrator” [2]. 


Signing the code or any other 
object with a digital signature is a 
fundamental mechanism required 
to protect an agent. A digital 
signature can be defined as an 
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electronic equivalent of any hand- 
written signature, which may be 
used to verify an object's 
integrity, validity, and origin. In 
light of these efficient and secure 
features, Digital Signature 
Algorithm (DSA) is suggested to 
secure the mobile agents. 


5) Technique: Data mining 
techniques, focusing on_ the 
extraction of closed frequent 
patterns, are used for detecting 
intrusions. 


VIII. CONCLUSION 


This study showcased an 
unconventional classification of a 
typical IDS. Furthermore, the 
selected features of the existing 
MA-IDS, such as framework, 
data collection, technique of 
detection, security and strength 
measures along with the 
weaknesses, were critically 
reviewed in this study. It is 
explored that these existing 
systems are facing yet some 
drawbacks and strengths as well. 
Subsequently, suggestions were 
outlined based on the identified 
limitations to enhance the MA- 
IDS. IDS are critical for ensuring 
the survival and security of 
information systems against 
intrusions. Many network 
resources are used by centralised 
IDS and is the only failure point. 
The shortcomings of centralised 
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IDS were addressed by using MA 
platforms. These platforms 
operate the system effectively and 
dynamically. Moreover, they 
respond to the rules of an event 
and changes of network. MA-IDS 
are better than centralised IDS in 
terms of performance and can 
report intrusions instantaneously. 
A general definition of IDS 
architecture, requirements, and 
limitations is provided in this 
paper. It also provides a 
comprehensive comparison of 
several IDS. In future more work 
will be done for detecting attacks 
in large data which are even more 
complex. 
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